Shibboleth and OpenSSL 1.1

Cantor, Scott cantor.2 at
Sat Oct 29 15:04:33 UTC 2016

> Well, xmltooling has grown an openssl1.1 branch upstream and is active (though not optimistic).

It's making progress. There are no plans to release anything before late 2017 and even that depends on the funding situation and the Board's decision about priorities.

Ultimately, the official timeline I have is "ahead of OpenSSL ending support for 1.0.2", which is 12/31/2019. We have much bigger fish to fry with Spring, Java 8, and other considerations with the IdP to worry about a library that's supported for 3 more years.

> Since xmltooling depends on xml-security-c and mentions OpenSSL 1.1 as a non-issue, I'm somewhat baffled by #828607, but it certainly looks genuine.

Santuario does not yet support 1.1, and the Shibboleth Project, as the only maintainers of that code, is forced to fix it as part of dealing with the changes. That work is being done along with the rest of the changes, and the patches are probably checked in somewhere or possibly in our Jira; I know Rod sent them to me for review.

>  It also looks easy to solve by the very example advertised at

The changes aren't hard, but they are a lot of work to test. They impact hugely sensitive parts of both libraries and we are taking great pains to avoid breaking things. All of our key management code and some of the algorithm implementations are using the old key structures because there was no other way to do that work.

Rod's writing a bunch of unit tests, none of which have existed to date, to try and make sure we don't swap a p and q somewhere.

I don't have any plans to rush the Santuario patches into place, but I'll probably get them in sometime next year. I don't know if I'll do a release just for that, but I doubt it.

-- Scott

More information about the Pkg-shibboleth-devel mailing list